On May 3, 2022 the European Commission ("EC") released a proposal of the European Parliament and of the Council for a European Health Data Space ("EHDS") Regulation. Timelex had the honour of assisting the EC in preparing a study supporting the impact assessment of policy options for an EU initiative on an EHDS.
The overarching purpose of the proposed act is to strengthen patients' rights to health data and open up the registries containing medical data to make better use of it, both for patients and the larger community. In this blog post, we discuss the approach of the European Commission to tapping the potential of health data under the EHDS Regulation.
The goals of EHDS Regulation
The draft EHDS Regulation is the first proposal of a domain-specific common European data space which was outlined by the European strategy for data. Importantly, the proposal does not aim to regulate how healthcare will be provided by individual Member States. The specific goals set by the proposal include:
- reinforcing the rights of natural persons (patients) in relation to the availability and control of their electronic health data;
- providing rules and mechanisms supporting research and fact-based policy making with the use of electronic health data;
- laying down harmonized requirements for electronic health records ("EHR") systems on the EU market;
- establishing mandatory cross-border infrastructure enabling the primary and secondary use of electronic health data across the EU.
The changes proposed by the EHDS Regulation will be relevant to all stakeholders in the health data life cycle, including: patients, hospitals and providers of EHR solutions and wellness applications, as well as researchers and authorities which access the data ("data users").
Primary and secondary use of electronic health data
A pivotal term used by the EHDS Regulation is electronic health data, which covers:
- personal electronic health data: data concerning health and genetic data as defined in the GDPR, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services processed in an electronic form; and
- non-personal electronic health data: data concerning health and genetic data in electronic format that falls outside the definition of personal data provided in the GDPR.
Such a broad definition is intended to capture all categories of medical data, irrespective of its source (the patient or another person, such as a health professional), and also including inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means (e.g. via medical devices).
The proposed EHDS Regulation differentiates between two general contexts of use of electronic health data:
Primary use of electronic health data | Secondary use of electronic health data
Note that this term is not the same as the notion of "further processing" of personal data under article 6(4) GDPR. Under EHDS Regulation it will be possible that electronic health data is specifically collected for secondary use.
New patients' rights regarding access and control over their health data
The proposed EHDS Regulation will strengthen the rights of patients to their electronic health data beyond those already provided in the GDPR. Building on the concepts of the right to access, the right to portability and the right to rectification, the patients will be empowered to:
- access their personal electronic health data processed in the context of primary use. They should be provided with their data immediately, free of charge and in an easily readable, consolidated and accessible form. However, to protect the well-being of the patients (e.g. with respect to information on a serious diagnosis, which should be explained by the doctor), there may be some exceptions to this rule;
- insert their electronic health data into their own EHR; however, such data will be clearly marked as provided by the patients. This may be useful to rectify incorrect information or add data from a wellness app;
- give access to data or request a data transfer to a data recipient of their choice, immediately, free of charge and without hindrance. If the data recipient is from another Member State, the most relevant health information (including, for example, patient summaries, discharge reports, electronic prescriptions and lab results, so-called "priority categories") should be transferred in the European electronic health record exchange format. This will be relevant for patients who cross Member State borders to work, study, visit relatives or who travel and need to make their EHR available to doctors in another EU country;
- restrict access of health professionals to all or part of their electronic health data. In other words, the patient may decide how much of their health record is disclosed to their doctor. Member States may establish the rules and specific safeguards regarding such restriction mechanisms;
- obtain information on the healthcare providers and health professionals who have accessed their electronic health data in the context of healthcare.
On the other hand, health professionals will:
- have access to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment;
- ensure that the personal electronic health data of the natural persons they treat are updated with information related to the health services provided.
To achieve these goals, the EU is planning to expand the existing cross-border infrastructure to support primary use of data (MyHealth@EU). The draft regulation empowers the Commission to issue a series of implementing acts on various aspects of MyHealth@EU. The strengthened infrastructure will consist of a central platform and national contact points established by the Member States, to which the health providers will be connected to exchange the data. Finally, digital health authorities will be responsible for implementation and enforcement in the context of primary use.
Standards for electronic health record (EHR) systems and interoperability of medical devices and AI systems
EHR systems are the backbone of the data exchange system envisioned by the draft EHDS Regulation and their interoperability with other systems is key. Hence, the proposed regulation lays down rules for EHR systems for primary use of priority categories of electronic health data. For example, such EHR systems may be placed on the EU market or put into service only if they comply with the essential requirements laid down by the Regulation. The manufacturers will need to draw up an EU declaration of conformity and affix the CE marking before putting an EHR system on the market.
The proposal also puts forth a voluntary labelling scheme for wellness applications and high-risk AI systems which claim interoperability with EHR systems.
Making health data available for research and policy goals
The provisions on secondary use are intended to fuel health research and innovation, both for private and public initiatives, as well as informed policy making. The proposed system will be built on three actors: health data access bodies, data holders and data users. Their roles are described below.
Health data access bodies | Data holders | Data users
Safeguards for ensuring privacy of patients and cross border cooperation within EU
Data for secondary use may be provided in anonymized format or in pseudonymized format (only if the purpose of the data user's processing cannot be achieved with anonymised data). The information necessary to reverse the pseudonymisation shall be available only to the health data access body.
The health data access bodies will provide access to electronic health data only through a secure processing environment, which provides technical and organisational measures and fulfils security and interoperability requirements. The data users will only be able to download non-personal electronic health data from the secure processing environment. For data protection law specialists, it will be interesting to read that for the processing of electronic health data in the scope of a granted permit, the health data access bodies and the data users will be joint controllers in the sense of Article 26 of GDPR. As mentioned above, data holders may also host secure processing environments in which they provide access to users following a single holder request.
Each Member State will need to designate a national contact point for secondary use of electronic health data. The national contact point may be the health data access body. The Member States and the Commission will set up HealthData@EU, which will serve to support and facilitate the cross-border access to electronic health data for secondary use, connect the national contact points for secondary use of electronic health data of all Member States and authorise participants in that infrastructure.
Next steps
The draft EHDS Regulation has just been published by the European Commission and following the ordinary legislative procedure will now be sent to and discussed by the European Parliament and the Council. Once adopted, the EHDS Regulation will enter into force on the twentieth day following that of its publication. It shall apply from 12 months after its entry into force, however enforcement of certain provisions will be further delayed.